While monitoring botnet traffic and controllers back in mid-2009, volunteers working for The Shadowserver Foundation noticed a new tactic being taken among the Waledac family of bot trojans that would usher in a new era of criminal sophistication. Waledac was exploiting DNS (domain name system) providers to self-register sites with names that seemed associated with legitimate service provider Blizzard Image Hosting. Then it used Blizzard’s real addresses and URLs to blast out the spam, which also included links to the malicious, preregistered domains.
“At this point we immediately suspected that Blizzard either bought sleazy advertising from the spammers behind Waledac, or else they were being Joe Jobbed,” says Steven Adair, Shadowserver volunteer and co-author of Malware Analysis Cookbook. “Joe-Jobbed means Blizzard upset someone who started blasting out their website and services in order to cause a lot of grief.”
SOS postings from Blizzard on its site and in multiple online forums seemed to confirm the latter theory. Blizzard claimed it was under a distributed denial-of-service (DDoS) attack and was not the one actually doing the spamming. Shortly after, Blizzard went offline.
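The Waledac tactic described above pairs a real brand's addresses with links to lookalike domains the spammers registered themselves. The following is an added example (not code from the article or from Shadowserver) of the kind of check a mail filter or incident responder can run over the links in a message: it compares each link's registrable domain with the brand's own domain and flags names that embed a brand keyword or are a near-miss spelling. The brand domain, keyword list and message links are constructed sample values (the article does not give Blizzard Image Hosting's real domain), and the registrable-domain split is a naive last-two-labels rule rather than a public-suffix list; both are assumptions of this example.

```python
"""Flag message links whose domains imitate a legitimate brand.

Added example, not from the article. The brand domain, keyword list and
message links below are constructed sample values, and the registrable-
domain split is a naive last-two-labels rule (assumption: no public-suffix
list is consulted).
"""
import difflib
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two DNS labels (assumption, see above)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalized_label(domain: str) -> str:
    """Leftmost label of the registrable domain with hyphens removed, for comparison."""
    return registrable_domain(domain).split(".")[0].replace("-", "")


def is_lookalike(link_host: str, brand_domain: str, keywords, threshold: float = 0.8) -> bool:
    """True when the link is NOT on the brand's own domain but resembles it."""
    if registrable_domain(link_host) == registrable_domain(brand_domain):
        return False  # the brand's own domain or one of its subdomains
    label = normalized_label(link_host)
    # Brand name embedded in a foreign domain, e.g. "blizzard-image-host.example"
    if any(k in label for k in keywords):
        return True
    # Near-miss spellings, e.g. a digit swapped for a letter; ratio is 0..1
    ratio = difflib.SequenceMatcher(None, normalized_label(brand_domain), label).ratio()
    return ratio >= threshold


def flag_lookalike_links(urls, brand_domain: str, keywords):
    """Return the links from a message that point at lookalike domains."""
    flagged = []
    for url in urls:
        host = urlparse(url).hostname
        if host and is_lookalike(host, brand_domain, keywords):
            flagged.append(url)
    return flagged


# Constructed sample values (not real domains or real message content).
BRAND_DOMAIN = "blizzardimagehosting.example"
BRAND_KEYWORDS = ("blizzard",)
SAMPLE_LINKS = [
    "http://blizzardimagehosting.example/img/123",    # genuine brand link
    "http://images.blizzardimagehosting.example/a",   # genuine subdomain
    "http://blizzard-image-host.example/login",       # brand keyword, foreign domain
    "http://bl1zzardimagehosting.example/x",          # near-miss spelling
    "http://example.net/unrelated",                   # unrelated link
]

if __name__ == "__main__":
    for link in flag_lookalike_links(SAMPLE_LINKS, BRAND_DOMAIN, BRAND_KEYWORDS):
        print("lookalike:", link)
```

A message that mixes genuine brand links with flagged ones is exactly the pattern the article describes; the two signals together (real sender assets plus foreign lookalike domains) are a stronger indicator than either alone, and the flagged domains are candidates for takedown requests to the registrar.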
This leveraging of legitimate businesses to lure people into clicking malicious links shows a new level of criminal planning and sophistication that would dominate 2010, says André DiMino, one of the founding members of Shadowserver.org, whose volunteers have been analyzing botnet behaviors since 2004.
Fortunately, he adds, the good guys are getting more automated and organized as well – with better information-sharing and legal channels at their disposal. In the Waledac case, for example, Microsoft obtained a federal injunction in February 2010 requiring registrars to shut down 277 .com domains used to control more than 75,000 Waledac-infected computers, effectively putting the botnet operation out of business.
The other good news is that, unlike the good guys, there is no honor among thieves: Crimeware developers are pirating and modifying each other’s malware for their own nefarious uses. Criminal operators providing cloud services for hosting servers to hold stolen data are stealing the data their clients are collecting. And herders continue to take over each other’s botnet power, say experts.
Cutthroat bad guys
In 2010, the cybercrime industry hauled in about $1 trillion, says Joseph Menn, in his book Fatal System Error. So it is no surprise that advancements in cybercriminal organization and sophistication have everything to do with getting a larger slice of that pie, says Noa Bar-Yosef, senior security strategist for application security firm Imperva.
“The point is to increase revenues while lowering costs,” she says. “As a result, there is a pyramid scheme that is emerging in these criminal roles where only the master hacker really makes any money.”
Last July, Imperva researchers observed how a master hacker created and tested a new, undetectable phishing kit and advertised it on forums, claiming “No need for storage,” because the master hacker would store all data collected in the cloud. Two clicks and the “proxy hackers” [front-end hackers] could get the phish site, start obtaining credentials and send them to their cloud storage provider. However, the master hacker put a back door on the phishing kit, giving access to every credential the proxy hackers collected.
“Thousands of proxy hackers taking the risk, doing the dirty work, getting credentials and giving the data they collected back to the master hacker — that’s certainly efficient from a cost perspective,” says Bar-Yosef. “This pyramid scheme is an example highlighting the technical extremes hackers are deploying.”
This cutthroat mentality is creating more discord than normal among criminals, say experts. Accusations are hurtling back and forth among underground forums, adds Alex Cox, senior security researcher at NetWitness.
“Messages including ‘This guy’s a ripper,’ or ‘Don’t use this one, it is a ripoff,’ or ‘This one’s backdoored,’ are common postings where malware kits are being shared,” Cox says. “A lot of times, criminals can get this exploit for free and install it, but the coder has backdoored it. So criminals create botnets and, in effect, give access to those bots to the guy they bought this software from.”
Another dog-eat-dog tactic happening among malware producers is that developers are also stealing each other’s zero-days to customize and use for their own purposes, says Derek Manky, project manager for cybersecurity and threat research at Fortinet.
For example, he points to a Slovenian-built botnet kit called Butterfly, a zero-day that was later re-engineered to create the Mariposa botnet long after the original developer was sent to jail. The toolkits eventually lose value and are given away for free for re-engineering, he continues, to anyone smart enough to run a compiler and push a few buttons to get started.
In addition to developers, there are also providers that often sell their botnet services as “affiliate programs,” Manky says. The affiliate will pay $40 per 1,000 compromised machines, for example. Top earners in these programs make upward of $140,000 a month on volume, he adds.
Turning stolen data into money is the final process in these cybercriminal syndicates.
This, too, has become so efficient that criminals can go from stolen credentials to ATM card withdrawals in a matter of hours, rather than days and weeks, as in the past. According to a report by internet security firm Trusteer, 60 percent of stolen credentials are harvested within 60 minutes of when phishing emails are received by victims. Within five hours of email receipt, more than 80 percent of stolen credentials are usable by criminals.
One such example is the RBS WorldPay heist, in which several Russian defendants are accused of siphoning at least $9.5 million in less than 12 hours from the time of the data breach. In that time, they were able to create 44 counterfeit cards and hire cashers to use the cards in 2,100 ATMs around the world.
“You still have the coders, the operators, those who draw the data and those who monetize the data,” says Fred Touchette, senior security analyst for AppRiver. “Now, the RBS case shows how quickly all these people can be orchestrated to create the plastic cards, recruit the money mules to hit the ATMs, take their cut and give the rest to their managers standing on the corner.”
The good guys
The level of automation, optimization and distributed architectures of these criminal operations makes shutting them down more difficult. For example, DiMino points to redundancies, proxies, domain name generation algorithms and other technologies that make cybercriminal networks extremely resilient and therefore persistent.
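Domain name generation algorithms, one of the resilience techniques DiMino names above, let a bot compute a fresh list of rendezvous domains each day so that blocking any one of them achieves little. Defenders therefore screen DNS logs for names that look machine-generated. The block below is an added example (not from the article or from Shadowserver) of a simple lexical screen: it scores a domain's leftmost label on length, character entropy, vowel scarcity, consonant runs and digit density. The sample domains and the thresholds are constructed assumptions chosen for illustration; a production detector would be tuned on real traffic and combined with other signals such as NXDOMAIN rates and registration age.

```python
"""Heuristic screen for algorithmically generated (DGA-style) domain names.

Added example, not from the article. The domains below are constructed
sample values, and the thresholds are assumptions chosen for illustration.
"""
import math
from collections import Counter

VOWELS = set("aeiou")


def leftmost_label(domain: str) -> str:
    """The label a DGA typically randomizes: the first one, hyphens removed."""
    return domain.lower().strip(".").split(".")[0].replace("-", "")


def shannon_entropy(s: str) -> float:
    """Bits per character: random strings score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of letters that are not vowels; digits break a run."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(domain: str) -> int:
    """Count the random-looking traits the label exhibits (0 to 5)."""
    label = leftmost_label(domain)
    if not label:
        return 0
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    score = 0
    score += int(len(label) >= 12)                   # long labels (threshold: assumption)
    score += int(shannon_entropy(label) > 3.5)       # near-uniform character use
    score += int(vowel_ratio < 0.25)                 # unpronounceable
    score += int(longest_consonant_run(label) >= 4)  # e.g. "xzjrwp"
    score += int(digit_ratio > 0.2)                  # letters and digits interleaved
    return score


def flag_dga_candidates(domains, min_score: int = 2):
    """Return the domains that exhibit at least min_score traits."""
    return [d for d in domains if dga_score(d) >= min_score]


# Constructed sample values; the .example names are not real domains.
SAMPLE_DOMAINS = [
    "example.com",
    "shadowserver.org",
    "mail-archive.example",
    "ytqkvnxzjrwp.example",
    "a7k2x9q4m1p8.example",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:28s} score={dga_score(d)}")
    print("candidates:", flag_dga_candidates(SAMPLE_DOMAINS))
```

A single trait is not evidence: legitimate twelve-letter names such as shadowserver.org pick up one point from length alone, which is why the screen flags only on two or more and why the result should feed a review queue rather than an automatic block.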
Cybercriminals are also making it more difficult to observe and learn from them, says Dmitry Samosseiko, senior manager of Sophos Labs Canada.
“Cybercriminals used to operate in more open forums that researchers and law enforcement could browse and observe to find out what the crime networks and their affiliates are up to,” he says. “Now that activity is happening in closed chat rooms and it is harder to get into forums and infiltrate their networks.”
It is also harder to protect against cybercriminal activity with traditional signature and behavior-based monitoring technologies, say experts.
For example, zero-day attacks, which typically are undetectable to signature-based monitoring, are on the rise, according to an endpoint risk survey by the Ponemon Institute, released in December, of 564 U.S. IT security practitioners. In the survey, 34 percent of respondents reported frequent zero-days in their networks and 35 percent said zero-days were their biggest headache.
“Zero-days, plus lack of patching on increasingly mobile endpoints [where many attacks enter from] is where much of the operational challenge comes in,” explains C. Edward Brice, senior vice president at Lumension (which sponsored the survey).
Fortunately, the good guys have been forming partnerships to combat cybercrime, DiMino says. Grassroots monitoring groups such as Shadowserver and the Anti-Phishing Working Group, along with law enforcement and legal communities, the security community and public-private partnerships across all verticals, are established and expanding their outreach.
“Like never before, we’re seeing experts in the community for malware analysis mixing with those who understand routing and architectures, those who understand criminal enterprises, those who work in law enforcement, and those who work with external network service providers,” says DiMino.
By sharing information and providing remediation and protection recommendations, the good guys are becoming more nimble at response communications, remediation and notification to law enforcement, say experts. And as a result of improved response and enforcement, says Bar-Yosef, criminals are indeed “feeling the heat.”
In an article about the industrialization of hacking, Noa Bar-Yosef, senior security strategist at Imperva, discusses the three pillars of cybercriminal industrialization:
- The supply chain: consisting of malware researchers, botnet farmers, dealers, monetizers and the cybercrime lord;
- Automation: using Google to find vulnerable systems, malware packages, cloud services providers, and more; and
- Optimization: more computing power under control, dashboards, the co-joining of malware tools.
– Deb Radcliff
Photo: Some hacker forums offer phishing kits for sale.